CVE-2025-30977 in WP Live Chat and Chatbots Plugin

Summary

by MITRE • 06/06/2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaport Live Chat WP Live Chat + Chatbots Plugin for WordPress – Chaport allows Stored XSS. This issue affects WP Live Chat + Chatbots Plugin for WordPress – Chaport: from n/a through 1.1.5.


Analysis

by VulDB Data Team • 06/06/2025

This vulnerability represents a critical cross-site scripting flaw in the Chaport Live Chat WP Live Chat + Chatbots Plugin for WordPress, specifically affecting versions through 1.1.5. The issue stems from improper input sanitization during web page generation processes, creating a persistent XSS vector that allows attackers to inject malicious scripts into chat interfaces. The vulnerability is classified as stored XSS because malicious payloads persist in the application's database and execute whenever affected pages are rendered to users. This type of vulnerability directly maps to CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that enables attackers to inject client-side scripts into web pages viewed by other users.

The technical exploitation of this vulnerability occurs when administrators or users interact with chat interfaces that do not properly sanitize user inputs before storing and rendering them. Attackers can craft malicious payloads that, when stored in the chat system, execute in the context of other users' browsers. This creates a persistent threat where malicious scripts can steal session cookies, perform unauthorized actions on behalf of users, redirect them to malicious sites, or harvest sensitive information from the chat interface. The vulnerability is particularly dangerous in WordPress environments where administrators often have elevated privileges and may be exposed to these malicious scripts through chat interactions.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable sophisticated attack chains that compromise entire user sessions and potentially lead to full system compromise. Attackers can leverage this vulnerability to establish persistent backdoors through session hijacking, perform credential theft via cookie capture, or deploy additional malware through browser-based attacks. The stored nature of the XSS means that even users who do not actively interact with the chat system can be compromised when they view pages containing the malicious payloads. This vulnerability affects not only individual users but also the broader WordPress ecosystem where the plugin is deployed, potentially impacting multiple sites within the same network or organization.

Security mitigations for this vulnerability should focus on immediate patching of the affected plugin versions, implementing proper input validation and output encoding mechanisms, and establishing content security policies to prevent unauthorized script execution. Organizations should deploy web application firewalls to detect and block malicious payloads, conduct thorough security assessments of all installed plugins, and implement regular vulnerability scanning processes. The remediation process must include comprehensive input sanitization at all points where user data enters the system, particularly in chat interfaces and other interactive elements. Additionally, implementing proper access controls and user privilege management can limit the damage scope if exploitation occurs. This vulnerability demonstrates the critical importance of secure coding practices in web applications and highlights the necessity of following OWASP top ten security guidelines to prevent such persistent threats in content management systems.
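The analysis above names the defect class (CWE-79, stored input written into generated markup without neutralization) and the fixes (output encoding, input validation, a content security policy). The following PHP is an added illustration written for this page; it is not code from the Chaport plugin or from VulDB, and it does not claim to show where the plugin's actual flaw sits. The function names, the constructed message rows, the plugin path and the CSP policy string are all assumptions. It renders the same stored chat rows twice, once with the vulnerable concatenation pattern and once with context-aware encoding, so the difference in emitted markup can be compared directly.

```php
<?php
// Added example for CVE-2025-30977's weakness class (CWE-79). Not the plugin's
// own code; all names and sample data below are assumptions.
declare(strict_types=1);

// Constructed sample rows standing in for chat messages read back from the
// WordPress database. The first carries the kind of payload a stored XSS
// relies on; it is inert here because nothing in this script evaluates it.
$messages = [
    ['sender' => 'visitor',      'text' => '<script>alert(document.cookie)</script>', 'ts' => '2025-06-06T10:00:00Z'],
    ['sender' => 'agent"><b>x',  'text' => 'Hello & welcome',                          'ts' => '2025-06-06T10:00:05Z'],
];

// Vulnerable pattern: stored text is concatenated straight into the markup, so
// whatever a visitor typed becomes part of the page for every user who views it.
function render_message_unsafe(array $m): string
{
    return '<li class="msg" data-sender="' . $m['sender'] . '">'
        . '<time>' . $m['ts'] . '</time> ' . $m['text'] . '</li>';
}

// Encoding for an HTML text node (what WordPress's esc_html() does).
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding for a double-quoted attribute value (what esc_attr() does). The same
// characters are escaped, but the call is kept separate so a reviewer can see
// which output context each field is being prepared for.
function esc_attribute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every stored field is encoded for the context it lands in,
// at output time. Validating input upstream (length, allowed characters) still
// helps, but output encoding is what neutralizes a payload already in the database.
function render_message_safe(array $m): string
{
    return '<li class="msg" data-sender="' . esc_attribute($m['sender']) . '">'
        . '<time>' . esc_text($m['ts']) . '</time> ' . esc_text($m['text']) . '</li>';
}

// Defense in depth: a nonce-based CSP, so that an encoding gap elsewhere does not
// let an injected inline script run. The policy is an assumption; a real site
// must list every legitimate script and style origin it depends on.
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$nonce'; "
        . "object-src 'none'; base-uri 'self'";
}

$nonce = bin2hex(random_bytes(16));
if (PHP_SAPI !== 'cli') {
    header(csp_header($nonce));   // only meaningful when serving a real response
}

echo "--- vulnerable output (payload survives intact) ---\n";
foreach ($messages as $m) {
    echo render_message_unsafe($m), "\n";
}

echo "--- hardened output (payload becomes inert text) ---\n";
foreach ($messages as $m) {
    echo render_message_safe($m), "\n";
}

// The site's own widget loader carries the nonce and is therefore permitted by
// the policy above; the path is a placeholder, not the plugin's real file.
echo '<script nonce="' . esc_attribute($nonce) . '" src="/wp-content/plugins/PLACEHOLDER/widget.js"></script>', "\n";
```

Run it with `php example.php`: in the hardened output the first row's `<script>` appears as `&lt;script&gt;`, and the second row's `"><b>x` sender no longer closes the `data-sender` attribute. The same two steps are what a plugin review checks for: every echo of stored data goes through an escaping call matched to its context (esc_html, esc_attr, or wp_kses where limited HTML is intentionally allowed), and the page ships a CSP that does not permit unlisted inline scripts.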

Responsible: Patchstack

Reservation: 03/26/2025

Disclosure: 06/06/2025

Moderation: accepted

CPE: ready

EPSS: 0.00225

KEV: no

Activities: very low

Sources
